Facebook
Twitter
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion -
Inviting everyone to the UX test of a new security feature in the WP Toolkit
For WordPress site owners, threats posed by hackers are ever-present. Because of this, we are developing a new security feature for the WP Toolkit. If the topic of WordPress website security is relevant to you, we would be grateful if you could share your experience and help us test the usability of this feature. We invite you to join us for a 1-hour online session via Google Meet. Select a convenient meeting time with our friendly UX staff here.
Question SMTP spam attack
- Thread starter caygri
- Start date
What about using fail2ban Plesk feature? Especially plesk-postfix jail - Fail2Ban Jails Management
Fail2ban cannot be used in this case, because it will only block attacks on the system be incoming mail. But here the issue is that outgoing mail is sent from the system.
The first step to identify the source of the issue is to turn on "outgoing mail control" on and set it to a low value, e.g. 30 mails/hour server-wide.
Tools & Settings > Mail Server Settings > Switch on limitations on outgoing email messages > Default limit on outgoing messages from a subscription (per hour): "30".
Then wait until the outgoing mail statistics are updated. You can then directly see which domains are sending the mail. Disable the domains.
Then examine in /var/log/maillog whether the spam was sent via SMTP login in a mailbox or if it is sent through a website script. When it is sent by a mailbox login, you will find plenty of
... postfix/pickup[<number>]: ...
lines for the according domains or mailbox in the log. If you cannot see the pickup in the maillog, the spam is sent by a website script that is running on localhost. As you have already turned the domain of, you will not see that "live".
Normally, when spam is sent by SMTP login, you must first remove the viruses and trojans from all systems that could have access to the mailbox. Else a password change won't help, because keyloggers will immediately transmit the new password to the hacker or the virus will use an updated mail client profile to continue sending spam.
If the spam is sent by a website script, this is normally done by encrypted .php scripts. You can run a command like
egrep -r -i --include=\*.php '64_decode|edoced_46' --exclude-dir={system,logs,bin,dev,etc,lib,lib64,sbin,usr,var,tmp} /var/www/vhosts/<DOMAIN>/httpdocs
to get a list of all base64 encoded script lines. Some will be o.k. (the short ones), but all longer lines that are running over several lines on your screen and are encrypted, are very likely malware. Now that you have identified the malicious scripts, delete them. Normally such scripts are installed by a backdoor in either poorly made software plugins or malicious software plugins or modules (e.g. for Wordpress or Joomla).
The third but rare possibility is that neither the standard SMTP service sends spam by a login, nor a website is submitting spam to the service, but a stand-alone SMTP server (normally "Exim") was launched by an executable /tmp directory. It can easily be found by
# ps -aux | grep exim
The first step to identify the source of the issue is to turn on "outgoing mail control" on and set it to a low value, e.g. 30 mails/hour server-wide.
Tools & Settings > Mail Server Settings > Switch on limitations on outgoing email messages > Default limit on outgoing messages from a subscription (per hour): "30".
Then wait until the outgoing mail statistics are updated. You can then directly see which domains are sending the mail. Disable the domains.
Then examine in /var/log/maillog whether the spam was sent via SMTP login in a mailbox or if it is sent through a website script. When it is sent by a mailbox login, you will find plenty of
... postfix/pickup[<number>]: ...
lines for the according domains or mailbox in the log. If you cannot see the pickup in the maillog, the spam is sent by a website script that is running on localhost. As you have already turned the domain of, you will not see that "live".
Normally, when spam is sent by SMTP login, you must first remove the viruses and trojans from all systems that could have access to the mailbox. Else a password change won't help, because keyloggers will immediately transmit the new password to the hacker or the virus will use an updated mail client profile to continue sending spam.
If the spam is sent by a website script, this is normally done by encrypted .php scripts. You can run a command like
egrep -r -i --include=\*.php '64_decode|edoced_46' --exclude-dir={system,logs,bin,dev,etc,lib,lib64,sbin,usr,var,tmp} /var/www/vhosts/<DOMAIN>/httpdocs
to get a list of all base64 encoded script lines. Some will be o.k. (the short ones), but all longer lines that are running over several lines on your screen and are encrypted, are very likely malware. Now that you have identified the malicious scripts, delete them. Normally such scripts are installed by a backdoor in either poorly made software plugins or malicious software plugins or modules (e.g. for Wordpress or Joomla).
The third but rare possibility is that neither the standard SMTP service sends spam by a login, nor a website is submitting spam to the service, but a stand-alone SMTP server (normally "Exim") was launched by an executable /tmp directory. It can easily be found by
# ps -aux | grep exim
mixos
New Pleskian
Hi @Peter Debik, I have the same issue as above with many emails build up on the server email queue, and I moved forward to many actions, like disabling PostFix, changing email/FTP passwords, emptying the email queue, adding DMIK DNS entries, checking for malicious scripts on the server and deleted one that was suspicious, but when I re-enable PostFix the queue build up fast again, from outgoing emails. What else do you suggest to check ?
Seems like the emails were coming from the deleted script.
Seems like the emails were coming from the deleted script.
LTUser
Regular Pleskian
How to disable PHP mail() function for a spamming domain on Plesk for Linux server?
Applicable to: Plesk for Linux Question How to disable mail() function for a spamming domain on the Plesk server? Answer Disable mail() function for a subscription via GUI Log into Plesk ...
support.plesk.com
Similar threads
